Request 1164241 superseded

Update to version 24.04.02.
This request will change the packaging from using a release tarball to generating the tarball directly from git to harden the package against supply chain attacks.
I would appreciate any feedback on this change and will leave the request open for a little bit.

Martin Pluskal

Why have source twice (as tarball and obscpio)?


Simon Vogl (author, source maintainer, target maintainer)

Thanks for the heads up. Should I simply delete the obscpio and handle it like this package? https://build.opensuse.org/package/show/openSUSE:Factory/plymouth


Martin Pluskal

I would suggest otherwise - keep obscpio - see e.g. https://build.opensuse.org/package/show/network:cryptocurrencies/xmrig but tarball will work as well (see e.g. https://build.opensuse.org/package/show/Base:System/thin-provisioning-tools)


Simon Vogl (author, source maintainer, target maintainer)

Thanks for the suggestion, I have made a new request that will (hopefully) handle tarball generation better: https://build.opensuse.org/request/show/1165380

Request History
Simon Vogl

DarkWav created request